No reason to panic, apparently: Redoing login details to become a regular thing

Citrix says there is no reason to panic after it asked customers to reset their passwords on its Sharefile service.

The file-dropping service rang in the new month with the announcement that it would begin regularly requiring users to change out their passwords. That new policy will begin this week, as all users are being asked to reset.

According to Citrix, there's no specific data breach or incident behind the move, but rather an intent to get out ahead of hackers who are farming leaked passwords from other breaches and trying them with Sharefile.

"There has been a constant increase in internet-account credential (usernames and passwords) theft. Those same credentials are often used to access other accounts," Citrix said in announcing the new policy.

"In response to this, we are requiring a password reset and will be incorporating a regularly-scheduled, forced password reset into our normal operating procedures."

While Citrix posted the new policy on its status page over the weekend, many customers did not get the news and, when greeted Monday with a reset request, were rightly concerned that something was not right.

"My organisation is a Citrix Sharefile user and we had all our users' accounts locked and a password reset issued," writes one Reg reader. "There was no warning that this was happening."

Another Reg reader notes that the presentation and rollout of the new policy by Citrix is not doing it any favors.

"Multiple users here thinking they were locked out as no message on the login screen," our tipster explains. "Email looks very spammy which is poor."

Users in the Reddit r/sysadmin community were similarly confused as to why the reset was spun out with so little warning and explanation to administrators who would now have to deal with concerned clients and end-users.

Citrix did not say how frequently users will be required to change out their passwords going forward; a spokesperson would only tell El Reg that the resets would be "regularly scheduled" and "based on our assessment of the evolving threat landscape."

If past findings are any indication, though, the company would be wise to use the forced resets sparingly. Back in 2016 the FTC found that users who are required to regularly change out their passwords tend to choose poor passwords, which ends up negating the potential benefits of regular resets.

"There is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily," said FTC chief technologist Lorrie Cranor.

"Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases." ®